Home page logo
/

basics logo Security Basics mailing list archives

Re: store passwords securely in the internet
From: Tristan Mott <tristan.mott () mammothmedia com au>
Date: Wed, 14 Apr 2010 11:09:40 +1000



On 13/04/2010 7:37 PM, Laurens Vets wrote:
Hello,

I've written a program to store your passwords secure in a container on
a server. It's written for the Horde framework and is called eleusis (
http://h4des.org/index.php?inhalt=eleusis ). The idea was to have your
passwords everytime available when you are online even when you are
using an internet cafe or a pc at work.

When the user creates a passwordstore, he must give a masterpassword.
With this masterpassword every password you want to save will encrypt
with blowfish. For every step (reading, writing) you have to enter the
masterpassword, because nothing will write unencrypted to the hard disk.
The masterpassword is never stored. When the user entered the
masterpassword, the program will decrypt the container and check the
header. If the header is correctly decrypted, the program will continue
its work, if not, it will show you an error message.

The whole project is written in php. A weak point of the program is the
http protocol. When the user doesn't use https to transfer the data the
passwords will send decrypted over the net.

I hope there is any use for this program and I'm glad if anyone of you
send me any critics or suggestions.

Wouldn't using Dropbox + KeePass be a quicker and safer way of
accomplishing the same?


Yeah, that's the method I use. Btw, I just have to chime in and point out that it's a BAD IDEA (tm) to use any password you can't afford to lose on a machine you can't trust implicitly (prime example, an internet cafe machine, and maybe even a pc at work you don't control). Keyloggers are a great way of circumventing the best laid plans regarding encryption and security. Even the strongest encryption relies on the security of the endpoints.

T

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how 
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, 
install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are 
highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]